On 02/12/2014 01:07 PM, Alexander Bokovoy wrote:
> On Wed, 12 Feb 2014, Tamas Papp wrote:
>> hi All,
>> $ ldapsearch -x -D uid=USER,cn=users,cn=compat,dc=foo -h localhost -w `cat pw`
>> ldap_bind: Referral (10)
>> [12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
>> [12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
>> System is CentOS 6.5 and LDAP was migrated from IPA 3.3 (Fedora 20).
>> Non-compat authentication works fine and authorization against compat is
>> also fine.
>> What is err=10?
> slapi-nis module in RHEL 6.x (and CentOS) does not support bind against
> compat tree. We added this feature only in Fedora 20 (and RHEL 7 beta).
> In older versions slapi-nis issues LDAP referral to the original LDAP
> entry with the hope that an LDAP client would follow it and perform a
> bind against the referral.
> Unfortunately, there is virtually no client software that supports the
> referral on bind operation.
> In short, you cannot do LDAP bind against compat tree in RHEL before
I forgot to mention, the client would be Ubuntu 12.04 and it
works/worked with IPA 3.3 and F20.
If I understand correctly, you're referring to the client side, aren't you?
Or is it true for the server side as well?
Freeipa-users mailing list
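
Added example, not part of the original thread and not FreeIPA or 389-ds code: a small Python check that pairs each BIND in a 389-ds access log with its RESULT and reports simple binds under the compat tree that were answered with a referral (err=10), the symptom discussed above. The function name `referred_binds` is hypothetical and the sample log is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample in the access-log format quoted in the thread.
SAMPLE_LOG = """\
[12/Feb/2014:12:54:15 +0100] conn=25363 fd=79 slot=79 connection from ::1 to ::1
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 BIND dn="uid=USER,cn=users,cn=compat,dc=foo" method=128 version=3
[12/Feb/2014:12:54:15 +0100] conn=25363 op=0 RESULT err=10 tag=97 nentries=0 etime=0
[12/Feb/2014:12:54:15 +0100] conn=25363 op=-1 fd=79 closed - B1
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 BIND dn="uid=USER,cn=users,cn=accounts,dc=foo" method=128 version=3
[12/Feb/2014:12:55:02 +0100] conn=25364 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=user,cn=users,cn=accounts,dc=foo"
[12/Feb/2014:12:55:03 +0100] conn=25364 op=1 SRCH base="cn=users,cn=compat,dc=foo" scope=2 filter="(uid=USER)" attrs=ALL
[12/Feb/2014:12:55:03 +0100] conn=25364 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

BIND_RE = re.compile(r'conn=(\d+) op=(-?\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(-?\d+) RESULT err=(\d+) tag=(\d+)')
LDAP_REFERRAL = 10       # RFC 4511 resultCode "referral"
BIND_RESPONSE_TAG = 97   # BindResponse, [APPLICATION 1] = 0x61


def referred_binds(log_text, subtree="cn=compat"):
    """Return binds whose DN lies under `subtree` and whose result was a referral."""
    pending = {}  # (conn, op) -> bind DN, waiting for the matching RESULT line
    hits = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        dn = pending.pop((m.group(1), m.group(2)), None)
        if dn is None or int(m.group(4)) != BIND_RESPONSE_TAG:
            continue  # result of a search or other operation, not a bind
        # Naive RDN split: adequate for log triage, ignores escaped commas.
        rdns = [c.strip().lower() for c in dn.split(",")]
        if int(m.group(3)) == LDAP_REFERRAL and subtree.lower() in rdns:
            hits.append({"conn": int(m.group(1)), "op": int(m.group(2)), "dn": dn})
    return hits


if __name__ == "__main__":
    for hit in referred_binds(SAMPLE_LOG):
        print("bind referred instead of authenticated:", hit)
```

The successful bind against cn=accounts and the search under cn=compat in the sample are not reported, which matches the thread: lookups in the compat tree work, only the bind is referred.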